Microsoft ADFS + Shibboleth: configuring federated authentication and a single sign-on service

Source: Internet
Author: User
Tags: BEGIN RSA PRIVATE KEY, password protection

A while ago a customer needed a single sign-on (SSO) system. It was built with Shibboleth: users log in with their AD username and password and can then reach a specific web resource. Shibboleth acts as the SP and ADFS as the IdP.

At least two test servers are required: one (Server A) runs Windows Server 2012 with AD CS, AD DS, AD FS and SQL Server; the other (Server B) runs CentOS 6.6 with the web server and the Shibboleth SP.

The key steps are: configure the individual server components, configure the server certificates, configure the Shibboleth configuration file (shibboleth2.xml), and configure ADFS to add a relying party trust. Each is explained in detail below.

Configure Server A

1. Installing Windows Server 2012

2. Installing Microsoft SQL Server 2012

3. Add a new administrator account (not the built-in Administrator) and add it to the Administrators group. From now on log in and manage the server with this account; stop using the built-in Administrator.

4. Add a service account and add it to the IIS_IUSRS group; it may be needed later when the IIS service is installed.

5. Adjust the power management policy: in "Power Options", remove the screen lock and under "Require a password on wakeup" select "Don't require a password".

6. Shorten the computer name, for example to ds or ad, as circumstances require.

7. Install the AD DS role, promote the server to a domain controller, set the NetBIOS domain name appropriately, and do not use DNS delegation.

8. Install a suitable browser such as Chrome, turn off IE Enhanced Security Configuration, install the required input method and set it as the default, and install an archive utility such as WinRAR.

9. Install AD CS and configure the root certificate. Give it a name that is easy to remember and to tell apart: the root (CA) certificate is conventionally named "hostname + second-level domain + CA". For example, if the domain is ds.com and the AD CS computer name is DS, the CA is named "DS-DS-CA".

10. Before installing ADFS, add the administrator account created earlier to the Domain Admins group (this can also be done in step 7).

11. Grant the service account created in step 4 logon access to SQL Server ("The specified service account has logon access to the database"). Do not specify a DB instance name; if none is given, two databases, "AdfsArtifactStore" and "AdfsConfiguration", are created by default.

12. During the ADFS installation, AD CS creates the certificate ADFS itself needs and issues it to hostname + primary DNS suffix; for example, for a computer named DS in the domain ds.com the certificate name is typically "ds.ds.com". This name is used as the ADFS Federation Service name and Federation Service identifier, and the full Federation Service identifier is what Shibboleth uses.

Configure Server B (CentOS 6.6, 64-bit)

1. Compile and install httpd, optionally installing the latest OpenSSL

2. Compile and install Shibboleth

wget http://shibboleth.net/downloads/log4shib/latest/log4shib-1.0.8.tar.gz
wget http://shibboleth.net/downloads/c++-opensaml/latest/xmltooling-1.5.3.tar.gz
wget http://shibboleth.net/downloads/c++-opensaml/latest/opensaml-2.5.3.tar.gz
# mirror selector for the same file: http://www.apache.org/dyn/closer.cgi?path=/santuario/c-library/xml-security-c-1.7.2.tar.gz
wget http://mirrors.cnnic.cn/apache/santuario/c-library/xml-security-c-1.7.2.tar.gz
wget http://shibboleth.net/downloads/service-provider/latest/shibboleth-sp-2.5.3.tar.gz
# xerces-c-3.1.1.tar.gz is also unpacked below; its download URL is not given here, fetch it from the Apache Xerces-C archive first

# everything is installed under /opt/shibboleth-sp, in dependency order
tar zxf log4shib-1.0.8.tar.gz
cd log4shib-1.0.8
./configure --disable-static --disable-doxygen --prefix=/opt/shibboleth-sp
make
make install
cd ..
tar zxf xerces-c-3.1.1.tar.gz
cd xerces-c-3.1.1
./configure --prefix=/opt/shibboleth-sp --disable-netaccessor-libcurl
make
make install
cd ..
tar zxf xml-security-c-1.7.2.tar.gz
cd xml-security-c-1.7.2
./configure --without-xalan --disable-static --prefix=/opt/shibboleth-sp --with-xerces=/opt/shibboleth-sp
make
make install
cd ..
tar zxf xmltooling-1.5.3.tar.gz
cd xmltooling-1.5.3
# -C caches configure results between the remaining packages
./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
make
make install
cd ..
tar zxf opensaml-2.5.3.tar.gz
cd opensaml-2.5.3
./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
make
make install
cd ..
tar zxf shibboleth-sp-2.5.3.tar.gz
cd shibboleth-sp-2.5.3
# build the Apache 2.4 module against the httpd compiled in step 1
./configure --with-log4shib=/opt/shibboleth-sp --enable-apache-24 --with-apxs24=/usr/local/httpd/bin/apxs --prefix=/opt/shibboleth-sp --with-apr1=/usr/local/apr-httpd/bin/apr-1-config --with-apu1=/usr/local/apr-util-httpd/bin/apu-1-config
make
make install

3. Configure the Shibboleth configuration file (shibboleth2.xml) and check that it is valid with "shibd -t".

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">
    <!-- the clockSkew value is unreadable in this listing; 180 seconds is the SP default -->
    <OutOfProcess>
        <Extensions>
            <Library path="/opt/shibboleth-sp/lib/shibboleth/adfs.so" fatal="true"/>
        </Extensions>
    </OutOfProcess>
    <InProcess logger="native.logger">
        <Extensions>
            <Library path="/opt/shibboleth-sp/lib/shibboleth/adfs-lite.so" fatal="true"/>
        </Extensions>
    </InProcess>
    <RequestMapper type="Native">
        <RequestMap>
            <!-- assumed: the opening Host tag is missing from this listing; the name follows the SSL virtual host -->
            <Host name="ssl.ds.cn">
                <Path name="/admin" authType="shibboleth" requireSession="true"/>
            </Host>
        </RequestMap>
    </RequestMapper>
    <ApplicationDefaults entityID="https://ssl.ds.cn/shibboleth" homeURL="https://ssl.ds.cn"
        REMOTE_USER="eppn persistent-id targeted-id" signing="false" encryption="false" attributePrefix="AJP_">
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" handlerSSL="true" cookieProps="https">
            <SSO entityID="http://ds.ds.cn/adfs/services/trust"
                discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
                SAML2 SAML1
            </SSO>
            <Logout>SAML2 Local</Logout>
        </Sessions>
        <Errors supportContact="[email protected]"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>
        <MetadataProvider type="XML" file="ds.ds.cn-metadata.xml"/>
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" key="ssl.ds.cn.key" certificate="ssl.ds.cn.cer" password="xxxxx"/>
    </ApplicationDefaults>
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
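As an added example (not from the original article or the Shibboleth project), the following Python script parses a cleaned-up copy of the shibboleth2.xml above and checks the settings that matter for the ADFS trust: both ADFS plugin libraries are loaded, the SSO entityID is the ADFS Federation Service identifier, the handler endpoints and session cookie are HTTPS-only, a MetadataProvider is present so the IdP's signing certificate can be verified, and /admin requires a session. The embedded config, the hostnames ssl.ds.cn and ds.ds.cn and the "xxxxx" password are the article's values; the check names and the "info:" convention are my own.

```python
import xml.etree.ElementTree as ET

NS = {"c": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed sample: a cleaned-up subset of the shibboleth2.xml from this article.
SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <OutOfProcess>
    <Extensions>
      <Library path="/opt/shibboleth-sp/lib/shibboleth/adfs.so" fatal="true"/>
    </Extensions>
  </OutOfProcess>
  <InProcess logger="native.logger">
    <Extensions>
      <Library path="/opt/shibboleth-sp/lib/shibboleth/adfs-lite.so" fatal="true"/>
    </Extensions>
  </InProcess>
  <RequestMapper type="Native">
    <RequestMap>
      <Host name="ssl.ds.cn">
        <Path name="/admin" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults entityID="https://ssl.ds.cn/shibboleth" homeURL="https://ssl.ds.cn"
      REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
        checkAddress="false" handlerSSL="true" cookieProps="https">
      <SSO entityID="http://ds.ds.cn/adfs/services/trust">SAML2 SAML1</SSO>
      <Logout>SAML2 Local</Logout>
    </Sessions>
    <MetadataProvider type="XML" file="ds.ds.cn-metadata.xml"/>
    <CredentialResolver type="File" key="ssl.ds.cn.key" certificate="ssl.ds.cn.cer" password="xxxxx"/>
  </ApplicationDefaults>
</SPConfig>
"""


def _libraries(root, section):
    """Paths of the plugin libraries loaded by <OutOfProcess> or <InProcess>."""
    node = root.find("c:" + section, NS)
    if node is None:
        return []
    return [lib.get("path", "") for lib in node.findall("c:Extensions/c:Library", NS)]


def check_sp_config(xml_text, protected_path="/admin"):
    """Check the ADFS-relevant parts of a shibboleth2.xml document.

    Returns a list of findings. Entries starting with "info:" are advisory;
    anything else would break the SSO flow or weaken its transport security.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # 1. ADFS support is a plugin: shibd needs adfs.so, the Apache module adfs-lite.so.
    if not any(p.endswith("/adfs.so") for p in _libraries(root, "OutOfProcess")):
        findings.append("OutOfProcess does not load adfs.so")
    if not any(p.endswith("/adfs-lite.so") for p in _libraries(root, "InProcess")):
        findings.append("InProcess does not load adfs-lite.so")

    app = root.find("c:ApplicationDefaults", NS)
    sessions = None if app is None else app.find("c:Sessions", NS)
    if sessions is None:
        findings.append("no <Sessions> element under <ApplicationDefaults>")
    else:
        # 2. The site is HTTPS-only, so SP handlers and the session cookie
        #    must not be reachable over plain HTTP.
        if sessions.get("handlerSSL") != "true":
            findings.append('Sessions handlerSSL must be "true"')
        cookie_props = sessions.get("cookieProps", "")
        if cookie_props != "https" and "secure" not in cookie_props.lower():
            findings.append("session cookie is not marked secure (cookieProps)")
        # 3. The SSO element must name the ADFS Federation Service identifier.
        sso = sessions.find("c:SSO", NS)
        sso_entity = "" if sso is None else sso.get("entityID", "")
        if not sso_entity.endswith("/adfs/services/trust"):
            findings.append("SSO entityID %r is not an ADFS Federation Service identifier" % sso_entity)

    # 4. Without IdP metadata the SP cannot verify who signed the assertions.
    if app is None or app.find("c:MetadataProvider", NS) is None:
        findings.append("no MetadataProvider for the IdP metadata")

    # 5. The protected path must force a session, matching the Apache <Location>.
    reqmap = root.find("c:RequestMapper/c:RequestMap", NS)
    paths = [] if reqmap is None else [
        p for p in reqmap.iter("{%s}Path" % NS["c"]) if p.get("name") == protected_path]
    if not paths or any(p.get("requireSession") != "true" for p in paths):
        findings.append('Path %s must have requireSession="true"' % protected_path)

    # 6. The key passphrase lives in the config file, so its permissions matter.
    cred = None if app is None else app.find("c:CredentialResolver", NS)
    if cred is None:
        findings.append("no CredentialResolver (SP key and certificate)")
    elif cred.get("password"):
        findings.append("info: CredentialResolver holds the private-key password; "
                        "keep shibboleth2.xml readable only by root and the shibd user")

    return findings


if __name__ == "__main__":
    for line in check_sp_config(SP_CONFIG) or ["all checks passed"]:
        print(line)
```

Run it against the real file with `check_sp_config(open("/opt/shibboleth-sp/etc/shibboleth/shibboleth2.xml").read())` after `shibd -t` has confirmed the file is well-formed; the script only checks the fields named above and is not a substitute for that validation.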

4. Configure the httpd server, including SSL access and the Shibboleth module

To configure SSL you need a certificate issued by the Windows AD CS. Generate the private key and the signing request with the following commands (the -des3 option encrypts the private key with a passphrase, which is why the key password appears in the CredentialResolver above and httpd uses SSLPassPhraseDialog builtin below):
openssl genrsa -des3 -out ssl.ds.cn.key
openssl req -new -days 365 -key ssl.ds.cn.key -out ssl.ds.cn.req.pem

Upload the request file to Server A. Open the "Certification Authority" console (certsrv), right-click the authority name and choose "All Tasks" > "Submit new request...", then browse to ssl.ds.cn.req.pem. Under "Pending Requests", issue the certificate; then, under "Issued Certificates", export it as a binary certificate in CER format.

Note: when exporting the .cer file on Windows, be sure to choose the "Base-64 encoded X.509 (.CER)" format. Open the file in a text editor: if it is readable text rather than binary, it can be used on the Linux system. The correct format looks like this:

# cat /usr/local/httpd/conf/ssl/ssl.ds.cn.cer
-----BEGIN CERTIFICATE-----
Miiesdccapigawibagitnaaaaaxejq4f/fazeqaaaaaabtanbgkqhkig9w0baquf
......
-----END CERTIFICATE-----

# cat /usr/local/httpd/conf/ssl/ssl.ds.cn.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,153EEBA6AC815504

3ckvvp3qa1a569awfjjjjcjgpsomuo7txqnpauujn5ph55eaqhabbhpwqp9m8m6+
......
-----END RSA PRIVATE KEY-----
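As an added example (not from the original article), this Python script performs the "open it in a text editor" check above programmatically: it tells a Base-64 (PEM) export apart from a binary DER export, recognises the Proc-Type/DEK-Info headers that "openssl genrsa -des3" writes into a passphrase-protected key, verifies that the Base-64 body decodes, and can wrap a DER file as PEM. The sample inputs are constructed placeholders, not real keys or certificates; the function names are my own.

```python
import base64
import binascii
import re

# One PEM block: the label, then everything up to the matching END line.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed samples (not real keys or certificates):
# a DER "binary" export, a SEQUENCE of length 256 holding one OCTET STRING
SAMPLE_DER_CERT = b"\x30\x82\x01\x00\x04\x81\xfd" + b"\x00" * 253
# a Base-64 export of a minimal ASN.1 SEQUENCE { INTEGER 5 }
SAMPLE_PEM_CERT = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
# an encrypted key in the shape "openssl genrsa -des3" writes; 16 zero bytes stand in for ciphertext
SAMPLE_ENCRYPTED_KEY = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: DES-EDE3-CBC,153EEBA6AC815504\n"
    b"\n" + base64.b64encode(b"\x00" * 16) + b"\n"
    b"-----END RSA PRIVATE KEY-----\n"
)


def classify_pem_file(data):
    """Classify a certificate or key file the way mod_ssl and shibd need it.

    Returns a dict: format ("pem", "der" or "unknown"), kind (the PEM label, or
    "CERTIFICATE" for DER), encrypted, cipher (from DEK-Info) and error (None when usable).
    """
    result = {"format": "unknown", "kind": None, "encrypted": False, "cipher": None, "error": None}

    # A Windows "DER encoded binary X.509" export starts with an ASN.1 SEQUENCE
    # tag followed by a long-form length; the Linux side expects PEM instead.
    if data[:1] == b"\x30" and data[1:2] in (b"\x81", b"\x82", b"\x83"):
        result.update(format="der", kind="CERTIFICATE",
                      error="binary DER; re-export as Base-64 encoded X.509 or convert with der_to_pem()")
        return result

    match = PEM_BLOCK.search(data)
    if match is None:
        result["error"] = "no -----BEGIN/END----- block found"
        return result
    result["format"] = "pem"
    result["kind"] = match.group(1).decode("ascii")
    body = match.group(2)

    # A passphrase-protected key (openssl genrsa -des3) carries RFC 1421 headers
    # separated from the Base-64 ciphertext by a blank line.
    if body.startswith(b"Proc-Type:"):
        result["encrypted"] = True
        parts = re.split(rb"\r?\n\r?\n", body, maxsplit=1)
        if len(parts) != 2:
            result["error"] = "encrypted key headers are not followed by a blank line"
            return result
        headers, payload = parts
        dek = re.search(rb"DEK-Info:\s*([A-Za-z0-9-]+),", headers)
        if dek is not None:
            result["cipher"] = dek.group(1).decode("ascii")
    else:
        payload = body

    try:
        raw = base64.b64decode(b"".join(payload.split()), validate=True)
    except (binascii.Error, ValueError):
        result["error"] = "body is not valid Base-64"
        return result
    # An unencrypted body must itself be DER: a SEQUENCE for both X.509 and PKCS#1.
    if not result["encrypted"] and raw[:1] != b"\x30":
        result["error"] = "decoded body is not an ASN.1 SEQUENCE"
    return result


def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes as PEM with 64-column Base-64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)).encode("ascii")


if __name__ == "__main__":
    for name, sample in (("der", SAMPLE_DER_CERT), ("pem", SAMPLE_PEM_CERT), ("key", SAMPLE_ENCRYPTED_KEY)):
        print(name, classify_pem_file(sample))
```

If a certificate was exported as binary by mistake, the equivalent OpenSSL command is `openssl x509 -inform DER -in ssl.ds.cn.cer -out ssl.ds.cn.pem`; the script only checks framing and encoding, it does not validate the certificate contents or chain.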

Configuring the Shibboleth module

# cat /usr/local/httpd/conf/extra/shibboleth.conf
# https://wiki.shibboleth.net/confluence/display/shib2/nativesplinuxsourcebuild
UseCanonicalName On

Configure the SSL virtual host
# cat /usr/local/httpd/conf/extra/httpd-ssl.conf
Listen 443
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/httpd/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost ssl.ds.cn:443>
    DocumentRoot "/usr/local/httpd/htdocs"
    ServerName ssl.ds.cn:443
    ServerAdmin [email protected]
    ErrorLog "/usr/local/httpd/logs/ssl.ds.cn_error_log"
    TransferLog "/usr/local/httpd/logs/ssl.ds.cn_access_log"
    SSLEngine on
    SSLCertificateFile "/usr/local/httpd/conf/ssl/ssl.ds.cn.cer"
    SSLCertificateKeyFile "/usr/local/httpd/conf/ssl/ssl.ds.cn.key"
    SSLCertificateChainFile "/usr/local/httpd/conf/ssl/ds-ds-ca.cer"
    Include /opt/shibboleth-sp/etc/shibboleth/apache24.config
    <Location /admin>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
        ShibRequireSession On
        ShibUseHeaders On
    </Location>
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/httpd/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog "/usr/local/httpd/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

5. Start shibd: /opt/shibboleth-sp/sbin/shibd

Back on Server A, add a relying party trust in ADFS.

[image: Add Relying Party Trust wizard, http://s3.51cto.com/wyfs02/M00/54/40/wKioL1R9VBXx3xcRAAF5M_CQtJI685.jpg]

The key point is that the relying party's "Federation metadata address" shown in the wizard must be the correct URL; the test then passes.

Create a claim rule

[image: claim rule wizard, http://s3.51cto.com/wyfs02/M01/54/40/wKioL1R9VBWQvQ9HAAD3r3imuOw142.jpg]

[image: claim rule wizard, http://s3.51cto.com/wyfs02/M01/54/40/wKioL1R9VBXxDMTBAAFL-cabbzU603.jpg]

The "Incoming claim type" can be chosen freely.

Configure Server B

1. Start shibd

2. Start httpd

3. Test and verify

1) Access the site root (https://ssl.ds.cn/); no authentication is required, as shown:

[image: http://s3.51cto.com/wyfs02/M02/54/40/wKioL1R9VBajZ66pAABZaapMBvs304.jpg]

2) Access the protected directory (https://ssl.ds.cn/admin/); authentication is required, and entering the username and password of a domain user passes it, as shown:

[image: http://s3.51cto.com/wyfs02/M00/54/40/wKioL1R9VBaAHgdhAACXHs4VwQs798.jpg]

3) Verify that the correct page is displayed after authentication, as shown:

[image: http://s3.51cto.com/wyfs02/M01/54/40/wKioL1R9VBaief5vAAByjh3iq8Q729.jpg]

The configuration is now complete and the application can be developed according to the Shibboleth manual.

This article is from the "Communication, My Favorites" blog; please keep this source: http://dgd2010.blog.51cto.com/1539422/1585428
